does SMF use Content Security Policy (CSP) ?

Started by aegersz, October 12, 2018, 06:10:32 PM

aegersz

i have been looking into XSS > https://excess-xss.com and wondered if CSP has been implemented.

i noticed that Simple Portal doesn't strip HTML tags off Shoutbox posts after i added HTML support but then promptly turned it off.

This got me thinking about hardening my web page serving.
The configuration of my Linux VPS (SMF 2.0 with 160+ mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here
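The opening post asks whether SMF sends a Content-Security-Policy. As an added example, not SMF's own code, here is how a PHP front controller can emit one. It starts in report-only mode so an existing board keeps working while the policy is tuned; the report endpoint and the assumption that 2.0-era themes rely on inline scripts and styles are mine, not something this thread states.

```php
<?php
// Added example, not SMF code: emit a CSP from a PHP entry point.
// Report-only first: violations are reported, nothing is blocked yet.

declare(strict_types=1);

function build_csp(string $nonce, bool $reportOnly): array
{
    $directives = [
        "default-src 'self'",
        // Only first-party scripts plus inline <script> blocks carrying this nonce.
        "script-src 'self' 'nonce-{$nonce}'",
        // Assumption: theme templates use inline style attributes; tighten later.
        "style-src 'self' 'unsafe-inline'",
        // Avatars and linked images commonly come from other hosts.
        "img-src 'self' data: https:",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
        // Placeholder endpoint that logs violation reports.
        "report-uri /csp-report.php",
    ];
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only'
                        : 'Content-Security-Policy';
    return [$name, implode('; ', $directives)];
}

// A fresh nonce per response; reusing one defeats the purpose.
$nonce = base64_encode(random_bytes(16));
[$name, $value] = build_csp($nonce, true);

// Must be sent before any output.
header($name . ': ' . $value);

// Inline scripts the page genuinely needs carry the nonce; anything injected
// into a post or shout does not know it and is blocked once enforcement is on.
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">'
   . '/* page bootstrap goes here */'
   . '</script>';
```

To confirm the header is actually leaving the server, fetch the front page with `curl -sI` and look for the `Content-Security-Policy-Report-Only` line; once the report endpoint stays quiet, switch the second argument to `false` to enforce.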

Kindred

Since shoutboxes are not a part of core smf, you would have to complain to the mod author about that.

SMF cleans all data that is submitted to it, unless a mod breaks that.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

aegersz

yes i was planning to but i feel safe now that i disabled it.

don't want to complain too much  :)

aegersz

well, i took your advice and discussed this with SP (https://simpleportal.net/index.php?topic=14571) and this is what I did after re-enabling HTML:

1. Exempt Admins box ticked
2. Regex Filter is (array('#<html>#','#</html>#m'),array(' ',' ')


(btw, if i use the exact same text of my reply from SP on this forum, I get a light blue box that says:
! Some of the links in your post were not found or match more than one topic or member. Please use the id instead.
"b]ticked[/b": not found.

aegersz

... and

2. edited my regex filter to this: (array('#<html>#m','#</html>#m'),array(' ',' ') (added 'm' for the start tag as i forgot it earlier).

3. added a regex callback expression also: preg_replace('/<html[^>]+?[^>]+>|<\/html>/i','',$m[0]) (courtesy of Simple Portal).

see more on Callback > https://www.exakat.io/the-art-of-php-callback/
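The two-stage Shoutbox filter from the posts above, replayed on constructed sample shouts. This is an added example and not Simple Portal's or SMF's code; the sample shouts are made up, and the way the callback is invoked (fed each surviving `<html ...>`/`</html>` fragment) is my assumption about how SP wires it. It also shows why the `/` inside `</html>` must be escaped in a `/`-delimited pattern, and puts a plain escaping function beside the filter for comparison.

```php
<?php
// Added example, not code from SMF or Simple Portal. Replays the Shoutbox
// regex filter + callback from this thread on constructed sample shouts.

declare(strict_types=1);

// Stage 1: the "Regex Filter" pattern/replacement pair posted in the thread.
const SHOUT_PATTERNS     = ['#<html>#m', '#</html>#m'];
const SHOUT_REPLACEMENTS = [' ', ' '];

// Stage 2: the callback posted in the thread. Inside a "/"-delimited pattern
// the "/" of "</html>" has to be written "<\/html>"; left unescaped, PCRE
// reports an unknown modifier and preg_replace() returns NULL instead of text.
function shout_callback(array $m): string
{
    return preg_replace('/<html[^>]+?[^>]+>|<\/html>/i', '', $m[0]);
}

// Assumption: every <html ...> / </html> fragment that survives stage 1 is
// handed to the callback as $m[0].
function filter_shout(string $shout): string
{
    $after_stage1 = preg_replace(SHOUT_PATTERNS, SHOUT_REPLACEMENTS, $shout);
    return preg_replace_callback('/<\/?html\b[^>]*>/i', 'shout_callback', $after_stage1);
}

// Hardened alternative: escape the whole shout, then let the board's own
// BBC layer decide what is rendered. No tag survives this, whatever its name.
function escape_shout(string $shout): string
{
    return htmlspecialchars($shout, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demonstrates the failure mode of the unescaped slash: result is NULL.
function broken_pattern_result(): ?string
{
    return @preg_replace('/<html[^>]+?[^>]+>|</html>/i', '', '<html>x</html>');
}

// Constructed sample shouts.
$samples = [
    '<html>hello <b>world</b></html>',   // wrapper plus an inline tag
    '<html lang="en">hi</html>',         // wrapper carrying an attribute
    'plain text with <i>italics</i>',    // no wrapper at all
];

foreach ($samples as $s) {
    printf("input:    %s\nfiltered: %s\nescaped:  %s\n\n",
        $s, filter_shout($s), escape_shout($s));
}

var_dump(broken_pattern_result()); // NULL, with a PCRE warning if not suppressed
```

Running it shows the point Arantor makes later in the thread: both stages only touch the `<html>` wrapper, so `<b>` and `<i>` in the samples pass through the filter untouched, while `escape_shout()` neutralises every tag. The `m` modifier on the stage 1 patterns has no effect here, since they contain no `^` or `$` anchors.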

Aleksi "Lex" Kilpinen

Quote from: aegersz on October 15, 2018, 02:55:20 PM
(btw, if i use the exact same text of my reply from SP on this forum, I get a light blue box that says:
! Some of the links in your post were not found or match more than one topic or member. Please use the id instead.
"b]ticked[/b": not found.

That would be our "wikilink" functionality playing tricks on you I think.
Slava Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

aegersz


Aleksi "Lex" Kilpinen

We have some extra functionality here to help us work.

For example

[ [ t:562619 ] ]

Without the extra spaces, turns to

does SMF use Content Security Policy (CSP) ?

aegersz

got it; fair enough. cool tools for the staff ? ... and why not !

Aleksi "Lex" Kilpinen


Arantor

I like how there is an assumption that one needs to use <html> to indicate HTML, when the page already ships with an html tag and nested tags aren't legal without frames or iframes.
